Using .htaccess to restrict access to Files and Directories

by Remy Pereira on 11th February 2019

By default Apache serves every file below the DocumentRoot, in every sub-directory, to anyone who requests its path, and where directory indexing is enabled (Options Indexes, the default in many distribution configs) a request for a directory that has no index file returns a listing of its contents. A .htaccess file lets you tighten this per directory. It is a plain configuration file, not a script: Apache does not execute it, it reads the file on each request for that directory tree and applies the directives it contains, provided the AllowOverride setting for the directory in httpd.conf permits them.

If you already have a .htaccess file in your Document Root folder, back it up before making any changes; otherwise create a new one.

The three most important security settings you should consider adding to your .htaccess file are:

1. Deny Access to .htaccess Itself

Add the following lines to stop Apache from serving the .htaccess file itself (it can reveal paths, the location of the password file and rewrite rules). Note that Order allow,deny / Deny from all is Apache 2.2 syntax; Apache 2.4 only accepts it when mod_access_compat is loaded, and its native equivalent is the single line Require all denied. The stock httpd.conf already denies files whose names start with .ht, so this rule matters on servers where that default has been removed.


# Deny access to .htaccess
# Apache 2.2 syntax; on Apache 2.4 this needs mod_access_compat, and the
# native 2.4 form is "Require all denied" in place of the next two lines
<Files .htaccess>
Order allow,deny
Deny from all
</Files>


2. Disable Directory Indexing

Options -Indexes turns off directory listings: a request for a directory that has no index file (index.html, index.php or whatever DirectoryIndex names) now gets a 403 Forbidden instead of a list of its contents. Directories that do have an index file are unaffected.


# Disable directory browsing 
Options -Indexes

To keep listings enabled but empty them, so that the request still succeeds and shows a directory with no entries rather than a 403, use the IndexIgnore directive. This only hides names from the listing; it is not access control.


# Hide the contents of directories
IndexIgnore *

To hide only certain file types from the listing, use


# Hide files of type .png, .zip, .jpg, .gif and .doc from listing
IndexIgnore *.png *.zip *.jpg *.gif *.doc

3. Prevent access to certain files

Removing entries from the listing does not protect them: anyone who knows or guesses the path can still download the file, and configuration, log and backup files (settings.ini, debug.log, deploy.sh) are routinely found this way.

To deny access to files by extension, use a <FilesMatch> section. Its regular expression is tested against the file name only (not the directory path) and is case-sensitive unless you prefix it with (?i):


# Deny access to files with extensions .ini, .psd, .log, .sh
# The pattern is anchored at the end of the name, so a backup copy such as
# settings.ini.bak is NOT matched; add the backup extensions you expect
<FilesMatch "\.(ini|psd|log|sh)$">
Order allow,deny
Deny from all
</FilesMatch>

To deny access to every file whose name starts with a dot (.htaccess, .htpasswd, .env, .gitignore and so on), use the pattern below. Because <FilesMatch> only looks at the file name, it does not cover files inside a dot-directory such as .git/config; those need a <DirectoryMatch> in httpd.conf or a mod_rewrite rule.


# Deny access to filenames starting with dot(.)
<FilesMatch "^\.">
Order allow,deny
Deny from all
</FilesMatch>

You can also require a username and password for particular files or directories. The accounts live in a .htpasswd file, created and maintained with the htpasswd command that ships with Apache; keep it outside the document root so it can never be served:


# Password protect files
# The pattern matches the listed base names with any (or no) extension;
# "^(execute|index|myfile|anotherfile)*$" would only match extension-less names
# AuthName is the realm label shown in the browser's login prompt, not a password
<FilesMatch "^(execute|index|myfile|anotherfile)(\..+)?$">
AuthType Basic
AuthName "Restricted area"
AuthUserFile <Full Server Path to .htpasswd file>/.htpasswd
Require valid-user
</FilesMatch>

Replace <Full Server Path to .htpasswd file> with the absolute filesystem path of the file (a path on disk, not a URL). HTTP Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so only use it on a site served over HTTPS.
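A complete .htaccess for Apache 2.4 that combines sections 1 to 3 and the password protection above, added here as an example; it is not code from the original article. It uses the 2.4 Require syntax instead of Order/Deny. The password file path /etc/apache2/.htpasswd, the protected script names, the user name alice and the AllowOverride classes it relies on are assumptions for illustration.

```apache
# Added example, not from the original article: one .htaccess for Apache 2.4
# that combines sections 1 to 3 and the password protection above.
# Assumptions (illustrative): Apache 2.4 with mod_authz_core, mod_autoindex,
# mod_rewrite and mod_ssl loaded; httpd.conf grants this directory
# "AllowOverride AuthConfig FileInfo Indexes Limit Options"; the password
# file was created outside the document root with
#   htpasswd -B -c /etc/apache2/.htpasswd alice
# (-B stores a bcrypt hash instead of the default MD5-based one).

# 1. No directory listings. A request for a directory without an index file
#    now gets 403 instead of a file list. SymLinksIfOwnerMatch (or
#    FollowSymLinks) is required for mod_rewrite to run in .htaccess context.
Options -Indexes +SymLinksIfOwnerMatch

# 2. Deny every dotfile: .htaccess, .htpasswd, .env, .gitignore, ...
#    <FilesMatch> tests only the file name, so on its own this does not
#    cover /.git/config (file name "config"); the RewriteRule below blocks
#    dot-directories, keeping /.well-known/ reachable for ACME challenges.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

<IfModule mod_rewrite.c>
    RewriteEngine On
    # In per-directory context the tested path has no leading slash, so
    # "^\." is a top-level dot-directory and "/\." a nested one.
    RewriteRule "(^|/)\.(?!well-known/)" - [F]
</IfModule>

# 3. Deny sensitive extensions, including the backup, rotated and editor
#    copies (settings.ini.bak, debug.log.1, dump.sql.gz, config.php.swp,
#    index.php~) that a plain "\.(ini|log)$" lets through. (?i) makes the
#    match case-insensitive so Config.INI is caught as well.
<FilesMatch "(?i)\.(ini|log|sh|sql|psd|bak|orig|swp)(\.(gz|[0-9]+))?$|~$">
    Require all denied
</FilesMatch>

# 4. Password-protect specific scripts. The base names are anchored and
#    followed by their extension; a pattern like "^(execute|index)*$" would
#    never match "execute.php". HTTP Basic sends the password base64-encoded
#    on every request, so plain HTTP is refused for these files.
<FilesMatch "^(execute|admin|report)\.php$">
    AuthType Basic
    AuthName "Restricted scripts"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
    <IfModule mod_ssl.c>
        SSLRequireSSL
    </IfModule>
</FilesMatch>
```

Run apachectl configtest (or httpd -t) after saving and then request a dotfile, a .bak copy and one of the protected scripts over plain HTTP; each should answer 403, and the script should answer 401 only once it is requested over HTTPS.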

You may also place a .htaccess file inside each sub-directory with overrides specific to that directory. The same access rules can be written directly in Apache's main configuration file, httpd.conf, inside a <Directory> block, and that is preferable when you have access to it. On shared hosting you normally do not, and .htaccess is the only option.

Note: Apache honours a directive in .htaccess only if the AllowOverride setting for that directory in httpd.conf permits it (the rules above need Options, Indexes, Limit and AuthConfig). Since Apache 2.4 the built-in default is AllowOverride None, under which .htaccess files are not even read, so on a server you run yourself you may have to enable it; shared hosts usually do.
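The httpd.conf side of this, added here as an example and not taken from the original article: the <Directory> block that decides whether the .htaccess rules in this article are honoured at all. The path /var/www/html is an assumption.

```apache
# Added example, not from the original article: the httpd.conf side that
# decides whether the .htaccess rules above are honoured at all. The path
# /var/www/html is an assumption.
<Directory "/var/www/html">
    # Apache 2.4 ships with AllowOverride None: .htaccess files are ignored
    # (not even read) until the administrator turns them on. Grant only the
    # override classes the rules in this article need rather than "All":
    #   Options    - Options -Indexes
    #   Indexes    - IndexIgnore
    #   Limit      - Order / Allow / Deny (mod_access_compat)
    #   AuthConfig - AuthType, AuthName, AuthUserFile, Require, SSLRequireSSL
    #   FileInfo   - RewriteEngine / RewriteRule, if you use them
    AllowOverride AuthConfig FileInfo Indexes Limit Options
    Require all granted
</Directory>

# If you administer httpd.conf yourself, prefer AllowOverride None and put
# the same <Files>/<FilesMatch> rules inside the <Directory> block: Apache
# then skips the .htaccess lookup in every directory on each request's
# path, and a file upload flaw can no longer be turned into a configuration
# change by writing a .htaccess into the document root. The stock httpd.conf
# already carries this server-wide rule, which is why .htaccess and
# .htpasswd are refused even before you add section 1:
<Files ".ht*">
    Require all denied
</Files>
```

The narrower the AllowOverride list, the less an attacker who gains write access to the document root can change: with AllowOverride All a planted .htaccess can remap file types to handlers or rewrite requests, with AllowOverride None it is inert.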



Comments

Jimbocous | May 27, 2024 5:26 AM |

Worth noting that starting with Apache 2.4 the whole "Order Allow,Deny" thing will be going away, to be replaced by the <Require All> <Require Any> functions. Still supported for now, but better to future proof the installation.

gintare | May 24, 2017 10:23 PM |

"# Order allow, deny / Deny from all" produces an internal server error for me. Sorry, I have no logs. Maybe some other modules should be enabled before I apply this rule?

Hi-Speed | December 22, 2020 2:21 PM |

Put your allow and deny in with a capital A: Order Allow,Deny

fred | April 15, 2018 6:51 PM |

Poor quality control. "Order allow, deny" is invalid; it needs to be "Order allow,deny" (without the space).

Hi-Speed | December 22, 2020 2:23 PM |

Try Order Allow,Deny

Pedro | March 4, 2019 7:12 PM |

This says nothing about how to prevent access to a directory (as the title indicates)!

Chencho | February 13, 2020 7:22 PM |

Yes, it does! Options -Indexes

Chris Schendel | May 24, 2019 12:31 AM |

Yes, it does.

Chencho | February 13, 2020 7:24 PM |

Very useful! Thanks for that.

CoolAbhi1290 | December 19, 2019 8:36 PM |

Hey! I have a file known as "global". It has all the logos, images, and CSS. I don't want people to be browsing in the directories, but I do want to allow their browsers to use these resources. How do I do that?

tom | February 26, 2019 10:41 AM |

Hello. Thank you for this. Is it possible to only use a password and not both username and password? Thank you.

Bob | February 22, 2019 9:45 PM |

Shouldn't this: <FilesMatch "^(execute|index|myfile|anotherfile)*$"> be: <FilesMatch "^(execute|index|myfile|anotherfile).*$"> without the . the regex won't capture any file extension and the rule won't apply.

Jan Kalina | February 5, 2019 11:23 PM |

"Order allow, deny" is incorrect! The space between comma and deny will cause Internal Server Error. Please fix.

Remy Pereira | February 11, 2019 11:05 AM |

Thanks for pointing that out. Article updated now.

Techguy | January 31, 2019 5:28 PM |

You need to remove the space after "allow, deny" or apache2 will complain. it should be: Order allow,deny

Remy Pereira | February 11, 2019 11:05 AM |

Thanks for pointing that out. Article updated now.

Anthony | November 29, 2018 7:44 AM |

If you set up authentication, you also MUST ensure the directory is only served using the HTTPS protocol. Doing this from a ".htaccess" file is tricky but possible.

Prisd | August 25, 2018 1:27 PM |

I network my web application so that it is accessed by other computers on the network, e.g. 192.168.10.1/website. But I don't want those on other computers to be able to access myphpadmin and localhost. I just want them to have access to 192.168.10.1/website. Is that possible?

gintare | May 25, 2017 8:59 PM |

The full working code is here: For some reason Using is giving the errors. But if I use a simple "Deny from all" or "Allow from all", it works.